578.4 Flashcards

1
Q

What is Human operated ransomware?

A

HOR is a class of ransomware attack in which the adversary penetrates the network by hand and tailors the operation to the victim.

2
Q

Threat Intelligence Platforms (TIPs)

A
  • MISP
  • Threat_Note
  • CRITs
  • ThreatConnect
  • ThreatQuotient
  • Anomali
  • EclecticIQ

3
Q

What does MISP stand for?

A

Malware Information Sharing Platform.

Focuses on IOCs and automation. Supports multiple data formats. Open source, with optional paid professional support.

MISP is widely used in Europe because of the active involvement of a number of CERTs.

4
Q

Best practices for storing threat intel information

A
  • Make a common format
  • Make the method scalable
  • Make the method secure
  • Make the method shareable

5
Q

Logical fallacies (logical errors)

A

Logical fallacies are flaws in reasoning. They often appear in cyber threat intelligence assessments. There are two main types:

  • Anecdotal Fallacy
  • Appeal to Probability

They occur when an argument does not logically make sense.

6
Q

Fallacies: Anecdotal Fallacy

A

Personal experience is given precedence over compelling evidence.

“I worked an incident like this before and it was China, so your analysis that it’s not must be wrong”.

7
Q

Fallacies: Appeal to Probability

A

Making a determination based only on what is most likely the case.

“Russia is hacking everything these days, so the intrusion is likely Russia based”.

8
Q

Common CTI informal fallacies

A
  • Appeal to the stone
  • Argument from Silence
  • Argument from repetition

Others:

  • Burden of Proof
  • Middle Ground

9
Q

Fallacies: Appeal to the stone

A

Declaring a claim absurd, without offering any proof, in order to dismiss it.

“That’s absurd to think that the US would compromise an allied government. Let’s move on.”

10
Q

Fallacies: Argument from Silence

A

Accepting a conclusion because of a lack of evidence against it.

“I have proof it wasn’t the UK and no proof it wasn’t Germany. So, I assess it was Germany.”

11
Q

Fallacies: Argument from Repetition

A

Arguing for so long that people eventually accept the conclusion just to end the discussion.

“We’ve been here for five hours; fine, Iran did the attack.”

12
Q

Fallacies: Burden of Proof

A

Requiring someone to disprove another person’s claim instead of requiring that person to prove it.

13
Q

Fallacies: Middle Ground

A

Treating a compromise between two positions as the accepted truth.

14
Q

Bias - Cognitive Biases

A

Cognitive biases (prejudices) are constraints on how we as analysts think that lead to incorrect decisions and assessments. They let analysts build their own version of reality, in which inaccurate judgments and illogical interpretations occur.

15
Q

Bias - Mirror Image

A

A common bias that forms when you analyze a situation, person or entity using your own context, background and experiences instead of theirs.

16
Q

Bias - Anchoring / Focusing

A

Overvaluing one piece of information. Leaves an analyst unable to seek new information or to weigh competing information.

17
Q

Bias - Confirmation bias

A

Selectively supporting one hypothesis. Rejecting refuting evidence. Giving greater weight to supporting data and less weight to contradicting data.

18
Q

Bias - Congruence Bias

A
  • A form of confirmation bias
  • Maps to competing hypotheses
  • Failure to consider alternative hypotheses
  • Greatest risk when one hypothesis fits well

19
Q

Bias - Hindsight Bias

A

“I knew it all along.” An unlikely outcome is seen as obvious in retrospect. Results in victim blaming.

20
Q

Bias - Illusory Correlation

A

Observing a correlation when none exists. Common when an unusual or extreme experience is associated with all future experiences. Stereotypes are the most common type of illusory correlation.

21
Q

Seven steps of analysis of competing hypotheses

A
  1. Hypothesis
  2. Evidence
  3. Diagnostics
  4. Refinement
  5. Prioritization
  6. Sensitivity
  7. Conclusion and Evaluation
22
Q

AoCH - 1: Enumerate Hypotheses

A
  • Account for all evidence
  • Include others
  • Do not consider feasibility
  • Include unproven hypotheses
  • Exclude disproven hypotheses
23
Q

AoCH - 2: Support the Hypotheses

A
  • Seek additional evidence
  • Include as evidence: deductions / assumptions
  • Discuss missing evidence
24
Q

AoCH - 3: Diagnostics

A

Comparison of hypotheses in a matrix of hypotheses and evidence. Analysis proceeds horizontally across the hypotheses, for each piece of evidence individually.

25
Q

AoCH - 4: Refine the Matrix

A
  • Remove nondiagnostic evidence
  • Add overlooked evidence now applicable
  • Include formulation of new hypotheses
  • Document evidence excluded
26
Q

AoCH - 5: Prioritize the Hypotheses

A

The hypotheses in the matrix are evaluated vertically, considering each hypothesis for its relative likelihood based on the evidence presented.

27
Q

AoCH - 6: Determine Evidentiary Dependence

A
  • How many pieces of evidence are critical?
  • What is the confidence in this evidence?
  • Is the evidence ephemeral (fleeting)?
28
Q

AoCH - 7: Report Conclusions

A

The final report must include:

  • Hypotheses considered
  • Key evidence
  • Proper estimative language
29
Q

Three different types of analysis

A
  • Link analysis
  • Data analysis
  • Trend analysis
30
Q

Common link analysis tools

A
  • Maltego
  • IBM Analyst’s Notebook
  • Palantir Gotham / Metropolis
  • Centrifuge
  • Gephi / Graphviz
  • Neo4J
  • Titan
  • Linkurious
  • Cambridge Intelligence
31
Q

Data analysis

A

Cleaning, transforming, and modeling data. Insights are revealed through new techniques, models, and correlations between datasets.

32
Q

Temporal Data Analysis

A

Analysis of data over time. Reveals recurring patterns of activity. Useful for trending adversary activity.

33
Q

Trend analysis

A

Completing the Kill Chain or Diamond Model yields intelligence. As you detect and respond to intrusions over time, you’ll begin to notice trends across intrusions.

34
Q

Style Guide

A

A style guide can contain anything that is useful to you and will have mid-to-long-term value to your team, but at a minimum it must include:

  • team structure
  • accepted lexicon
  • words, phrases, and actions to avoid
  • sample structured analytical techniques
  • sample intelligence requirements with example outputs
  • guidance for analysts on how to create clusters and finalize intelligence products
  • key processes to follow
35
Q

Names / Identifiers

A

Name your own campaigns. Borrow names where it makes sense. Using your own names is good because it:

  • Frees analysts from reliance on others.
  • Clarifies when your evidence defines campaigns slightly differently.

36
Q

Rosetta Stone

A

Maps known attribution, campaign names, and malware used to one another.

37
Q

One-to-One Mapping

A

Clusters cannot have a one-to-one relationship. Clusters can have links to other clusters. Links can be one or more of the Diamond Model vertices.

38
Q

Confidently Correlating Clusters

A

Visual and link analysis quickly identify patterns that help identify campaigns.

Quick pattern matching will incorrectly correlate some intrusions, and those may eventually turn out to be key.

To confidently correlate clusters, we can use ACH combined with the Kill Chain and Diamond Model, as well as the Rule of 2.

39
Q

When to use AoCH for intrusion-cluster correlation?

A
  • Lack of evidence makes the correlation ambiguous
  • An intrusion maps to multiple similarly defined clusters
  • Disagreement between analysts exists
40
Q

How to use AoCH for intrusion-cluster correlation?

A
  • Follow the AoCH steps
  • Classify evidence according to the intrusion definition: Kill Chain or Diamond Model
  • Confidence in the assessment is informed by the support in each clustering of evidence
41
Q

External Intrusion Reports

A
  • Use them to fill knowledge gaps
  • Do not merge them with your own data

Using the vendor’s information or name as your campaign name makes you lose control of the narrative.

42
Q

Diamond Model Meta-Features

A
  • Timestamp (start and end)
  • Phase
  • Result
  • Direction
  • Methodology
  • Resources

Each core feature and its meta-features should have a confidence value.

43
Q

Six distinct steps for creating an activity group

A
  1. Analytical Problem
  2. Feature Selection
  3. Creation
  4. Growth
  5. Analysis
  6. Redefinition
44
Q

Rule of 2

A

The Rule of 2 is simply looking for consistency between intrusions in some key way in order to create an activity group. If the victims are the same or similar, you may also have identified a specific campaign.

45
Q

Retire Clusters

A
  • Campaign states: Active, Inactive, Dormant
  • Keep all information pertaining to clusters indefinitely
  • Future intrusions can illuminate past ones
  • Future clusters may correlate with past clusters
46
Q

What does ACH stand for?

A

Analysis of Competing Hypotheses